Wednesday, May 28, 2008

Hacking Cellular Networks - The Door Is Already Open

A new smart phone hack has been released which is touted to help attackers understand cellular networks and potentially "open the door to hacking the cellular network itself".
Cell networks weren’t built with security in mind, Maynor says. And knowing the frequency of a smart phone means you can also find control channels for the cell towers, Maynor says, many of which carry information such as SMS messages destined to all phones in that cell area, for instance. “It would be the equivalent of turning on a sniffer on a computer for certain types of data,” he says.

The tool itself is interesting, and gathering frequency and channel information is new information that perhaps the cell owner should not have access to. However, the claims that this tool is opening the door to hacking cellular networks is woefully incorrect. That do is already open and doesn't need a tool like this. This tool allows an attacker to go after the over the air (ota) portion of the cellular network. From an attackers perspective, this is not the path of least resistance.

So what is the path of least resistance? Its through the data connection of the subscriber itself. Connect up your phone to a laptop, and use the data connection to browse through the infrastructure of the cellular network. All of the wonderful security issues we've seen over the years are still present in cellular networks too. The bigger problem is that the subscriber connection is often placed inside the cellular network. So all that stuff about a DMZ and strong perimiter doesn't usually apply in cellular networks (it shoud, but in practice thats not what's happening).

Cellular networks should be concerned about security, but not because of this tool. They should be concerned because most every data subscriber has been given direct access into the internal network of the cellular infrastructure. This isn't theoretical stuff, I've tested several major cellular networks throughout the world. These issues are rampant. The telecom people are getting the message though. They're moving in the right direction. Hopefully they are moving fast enough. :)

Take a look at this presentation topic from Hack in the box Dubai 2008.

Real World Attacks Against 3G Networks Using Subscriber Devices

-Michael Coates

Thursday, May 1, 2008

RSS conduit to launch CSRF against MASHUPS

[Substitute "Google" with your favorite mash-up site throughout this article]

RSS feeds are slowly gaining more acceptance among the average Internet user population. Overall, my impression is that the user base is still somewhat small compared to the total Internet user base. Google, and other sites, are offering more convenient methods to access all of your RSS feeds and any other info you need. For Google, consider the Google Reader App and the Google Custom Home Page (portal). Google keeps it simple for the user, sign-in, set everything up and you're good to go. Everytime you go to your Google Home Page you see your RSS feeds and whatever other widgets you added.

There are a few problems that I've noticed here. Who are we trusting to ensure the RSS feeds don't contain malicious data, such as javascript?

Lets look at who could be the good guy and take responsibility:

  • RSS Source: We trust the RSS feed source to restrict input and only deliver safe RSS data.
    -Doubtful. Anyone can serve and RSS feed. Perhaps the bigger feeds want to avoid association with an attack and take some actions. But I doubt the smaller feeds have robust security here.

  • RSS reader widget: The actual RSS reader widget was well developed and concerned about its users, so all output is encoded.
    -Not very likely since anyone can build widgets and we know how often security holes are found in quick and dirty code.

  • Google: Google (or MASHUP X) wants to protect the user's account (since the user is logged in) and output encodes everything on the home page.
    -This is possible. Google has a vested interest to take action here. They want to protect the account of their user base. I can see them taking action to protect their users' cookies and credentials.

I've done some preliminary research on the Google home page and found that Google is taking some action to protect their users. What action is that? They are putting the widgets into individual iframes. Aside from that, not too much. Custom widges can fire scripts within their iframe (tested and confirmed) and poorly designed RSS feeds would likely be vulnerable to execute malicious RSS feed data (haven't tested yet).

Google uses iframes to separate these malicious widgets from accessing the cookie associated with Google. 1 point for google.

However, the attacker knows that a user has to be logged in with the google account to view the homepage. This account is shared with Gmail, Calendar, Reader, and so on. What if the is a CSRF vulnerability in any of these applications? An attacker will place the CSRF attack within the widget or RSS feed and the users will be hit.

More specifically, the CSRF request will be to a google domain page. While the iframe itself does not have access to the google cookies, the browser does. The browser will see the request to page and will happily send along the user's cookie (since they are already logged in to view the google home page). End result, CSRF attack executes to perform whatever bad stuff was possible because of the vulnerability.

In Google's defense they have taken steps to prevent CSRF and I'm not aware of any outstanding issues on the moment. However, this is just an example. This issue can happen in any mashup environment.

-Michael Coates